Attachment #578306 for bug #682084

View | Details | Raw Unified | Return to bug 682084
Collapse All | Expand All




#include <sched.h>
#include <signal.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>

  BPF_ASSERT_EQ(EPERM, fork_errno);
}

BPF_TEST_C(BaselinePolicy, SystemEperm, BaselinePolicy) {
  errno = 0;
  int ret_val = system("echo SHOULD NEVER RUN");
  BPF_ASSERT_EQ(-1, ret_val);
  BPF_ASSERT_EQ(EPERM, errno);
}

BPF_TEST_C(BaselinePolicy, CloneVforkEperm, BaselinePolicy) {
  errno = 0;
  // Allocate a couple pages for the child's stack even though the child should
  // never start.
  constexpr size_t kStackSize = 4096 * 4;
  void* child_stack = mmap(nullptr, kStackSize, PROT_READ | PROT_WRITE,
                           MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
  BPF_ASSERT_NE(child_stack, nullptr);
  pid_t pid = syscall(__NR_clone, CLONE_VM | CLONE_VFORK | SIGCHLD,
                      static_cast<char*>(child_stack) + kStackSize, nullptr,
                      nullptr, nullptr);
  const int clone_errno = errno;
  TestUtils::HandlePostForkReturn(pid);

  munmap(child_stack, kStackSize);

  BPF_ASSERT_EQ(-1, pid);
  BPF_ASSERT_EQ(EPERM, clone_errno);
}

BPF_TEST_C(BaselinePolicy, CreateThread, BaselinePolicy) {
  base::Thread thread("sandbox_tests");
  BPF_ASSERT(thread.Start());




#if !defined(OS_NACL_NONSFI)
// Allow Glibc's and Android pthread creation flags, crash on any other
// thread creation attempts and EPERM attempts to use neither
// CLONE_VM nor CLONE_THREAD (all fork implementations), unless CLONE_VFORK is
// present (as in newer versions of posix_spawn).
ResultExpr RestrictCloneToThreadsAndEPERMFork() {
  const Arg<unsigned long> flags(0);


      AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
            flags == kGlibcPthreadFlags);

  // The following two flags are the two important flags in any vfork-emulating
  // clone call. EPERM any clone call that contains both of them.
  const uint64_t kImportantCloneVforkFlags = CLONE_VFORK | CLONE_VM;

  const BoolExpr is_fork_or_clone_vfork =
      AnyOf((flags & (CLONE_VM | CLONE_THREAD)) == 0,
            (flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);

  return If(IsAndroid() ? android_test : glibc_test, Allow())
      .ElseIf(is_fork_or_clone_vfork, Error(EPERM))
      .Else(CrashSIGSYSClone());
}


Return to bug 682084

Lines 10-16 Link Here

(-)a/sandbox/linux/seccomp-bpf-helpers/baseline_policy_unittest.cc (+29 lines)
10	#include <sched.h>	10	#include <sched.h>
11	#include <signal.h>	11	#include <signal.h>
12	#include <stddef.h>	12	#include <stddef.h>
		13	#include <stdlib.h>
13	#include <string.h>	14	#include <string.h>
		15	#include <sys/mman.h>
14	#include <sys/prctl.h>	16	#include <sys/prctl.h>
15	#include <sys/resource.h>	17	#include <sys/resource.h>
16	#include <sys/socket.h>	18	#include <sys/socket.h>
Lines 130-135 Link Here
130	BPF_ASSERT_EQ(EPERM, fork_errno);	132	BPF_ASSERT_EQ(EPERM, fork_errno);
131	}	133	}
132		134
		135	BPF_TEST_C(BaselinePolicy, SystemEperm, BaselinePolicy) {
		136	errno = 0;
		137	int ret_val = system("echo SHOULD NEVER RUN");
		138	BPF_ASSERT_EQ(-1, ret_val);
		139	BPF_ASSERT_EQ(EPERM, errno);
		140	}
		141
		142	BPF_TEST_C(BaselinePolicy, CloneVforkEperm, BaselinePolicy) {
		143	errno = 0;
		144	// Allocate a couple pages for the child's stack even though the child should
		145	// never start.
		146	constexpr size_t kStackSize = 4096 * 4;
		147	void* child_stack = mmap(nullptr, kStackSize, PROT_READ \| PROT_WRITE,
		148	MAP_PRIVATE \| MAP_ANONYMOUS \| MAP_STACK, -1, 0);
		149	BPF_ASSERT_NE(child_stack, nullptr);
		150	pid_t pid = syscall(__NR_clone, CLONE_VM \| CLONE_VFORK \| SIGCHLD,
		151	static_cast<char*>(child_stack) + kStackSize, nullptr,
		152	nullptr, nullptr);
		153	const int clone_errno = errno;
		154	TestUtils::HandlePostForkReturn(pid);
		155
		156	munmap(child_stack, kStackSize);
		157
		158	BPF_ASSERT_EQ(-1, pid);
		159	BPF_ASSERT_EQ(EPERM, clone_errno);
		160	}
		161
133	BPF_TEST_C(BaselinePolicy, CreateThread, BaselinePolicy) {	162	BPF_TEST_C(BaselinePolicy, CreateThread, BaselinePolicy) {
134	base::Thread thread("sandbox_tests");	163	base::Thread thread("sandbox_tests");
135	BPF_ASSERT(thread.Start());	164	BPF_ASSERT(thread.Start());

Lines 135-141 Link Here

(-)a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc (-2 / +11 lines)
135	#if !defined(OS_NACL_NONSFI)	135	#if !defined(OS_NACL_NONSFI)
136	// Allow Glibc's and Android pthread creation flags, crash on any other	136	// Allow Glibc's and Android pthread creation flags, crash on any other
137	// thread creation attempts and EPERM attempts to use neither	137	// thread creation attempts and EPERM attempts to use neither
138	// CLONE_VM, nor CLONE_THREAD, which includes all fork() implementations.	138	// CLONE_VM nor CLONE_THREAD (all fork implementations), unless CLONE_VFORK is
		139	// present (as in newer versions of posix_spawn).
139	ResultExpr RestrictCloneToThreadsAndEPERMFork() {	140	ResultExpr RestrictCloneToThreadsAndEPERMFork() {
140	const Arg<unsigned long> flags(0);	141	const Arg<unsigned long> flags(0);
141		142
Lines 154-161 Link Here
154	AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,	155	AnyOf(flags == kAndroidCloneMask, flags == kObsoleteAndroidCloneMask,
155	flags == kGlibcPthreadFlags);	156	flags == kGlibcPthreadFlags);
156		157
		158	// The following two flags are the two important flags in any vfork-emulating
		159	// clone call. EPERM any clone call that contains both of them.
		160	const uint64_t kImportantCloneVforkFlags = CLONE_VFORK \| CLONE_VM;
		161
		162	const BoolExpr is_fork_or_clone_vfork =
		163	AnyOf((flags & (CLONE_VM \| CLONE_THREAD)) == 0,
		164	(flags & kImportantCloneVforkFlags) == kImportantCloneVforkFlags);
		165
157	return If(IsAndroid() ? android_test : glibc_test, Allow())	166	return If(IsAndroid() ? android_test : glibc_test, Allow())
158	.ElseIf((flags & (CLONE_VM \| CLONE_THREAD)) == 0, Error(EPERM))	167	.ElseIf(is_fork_or_clone_vfork, Error(EPERM))
159	.Else(CrashSIGSYSClone());	168	.Else(CrashSIGSYSClone());
160	}	169	}
161		170